The real interesting part for me was how one can use relayd to intercept SSL (https) connections. (Now you can be just like the NSA...) and why it is bad for the whole https system when certificate authorities are hacked.

I chose « testing_relayd » as password, you will need it in relayd.conf file, and the « ca.crt » need to be installed on all the computers in the network (lan).

Besides creating client certificates and putting them on all the client computers, the paper explains how hacking a certificate authority works just as well:

Quote:

Another solution is to obtain an official CA with private key or to get an intermediate CA - a local CA signed by an official CA. Getting an official CA or intermediate CA for SSL Interception is normally only possible for governmental authorities (e.g. TURKTRUST in Turkey), or people who have access to a possibly compromised CA (e.g. DigiNotar in the Netherlands).

As the paper says,

Quote:

"SSL Interception" is a fairly common feature in commercial firewall products, for example from Juniper[5] or Check Point[4], why shouldn't it be freely available in OpenBSD as open source software? This might even have the effect that the increased availability of the feature will raise the awareness of the problem and lead to practical solutions in the future."

Let us hope that there is more awareness of the weaknesses in the https system and that a better system is developed.